Analysis
-
max time kernel
138s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
13/02/2024, 20:30
General
-
Target
comparendo24755693025simitverenlineacgbindata.exe
-
Size
781KB
-
MD5
4848c2aa032ded794410ebc729fc18a2
-
SHA1
ba4200a24bbd4f70594e72414493a350b4c95608
-
SHA256
63bd1085581bf0a8f7c9b01eb5d3a2d551fcc671a3916064891ea85c00d24669
-
SHA512
05e9bded510f16f06364ae913f1f494434b1cff4723213dbda1ebdf8da21ffa42764252e129d9e74fe501b5b273884b07213edf81efe24ec14692752f78b714b
-
SSDEEP
12288:2rD64vvpqDUB/B1idOmEigAqiiqwTFTBK/cOV682wiVZe+0Ks:8DxvuUB7idOmEHNqsxBHOR2rVZAKs
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs
-
Modifies security service 2 TTPs 4 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\comparendo24755693025simitverenlineacgbindata.exe"C:\Users\Admin\AppData\Local\Temp\comparendo24755693025simitverenlineacgbindata.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\comparendo24755693025simitverenlineacgbindata.exe"C:\Users\Admin\AppData\Local\Temp\comparendo24755693025simitverenlineacgbindata.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\comparendo24755693025simitverenlineacgbindata.exe" /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "iTelemetryLogtte" /f3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\Gret\Vepre.exe" /f5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "iTelemetryLogtte" /f5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD527b2fec2a6283b09ef15bd709cb96c3d
SHA1728585dd6390edf7806524dcf4bf18139632a001
SHA256451a266b23424f3075e68b990cb90c7c177d48a64688c39ee77a4e9e239cf311
SHA512bb10e90a881b259b1b90e54a1451f660c96e900576000a294cd1311ac5a6d3b3567cc7ad169ed26ff38719d65462ad31b2247e0f80118dd693f45927255de50b
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD55f1d5424e27e1101b3cd7cd91fe8a233
SHA1e821ffa5b914f7796cbfa123fcbd35b5a5a8f8b7
SHA2562a3d908593168e095fd3586b1de75cb442ab66286bafcfc1b994bdeccf95aa24
SHA512fd6f3e352e16b629ad555cd360bc1af64749a8a2eeca1e539ed03b6c09aaa18ecc1fb88012c062170d3b7e5ebcba59e41c959efb4d5168bec209c09a096fc0b9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
781KB
MD54848c2aa032ded794410ebc729fc18a2
SHA1ba4200a24bbd4f70594e72414493a350b4c95608
SHA25663bd1085581bf0a8f7c9b01eb5d3a2d551fcc671a3916064891ea85c00d24669
SHA51205e9bded510f16f06364ae913f1f494434b1cff4723213dbda1ebdf8da21ffa42764252e129d9e74fe501b5b273884b07213edf81efe24ec14692752f78b714b
-
Filesize
179KB
MD5f8cbb6ba48c479fc935d0c3cf230de53
SHA1038816489d42a07081fa0e2d8682c48b3573b96a
SHA25684a437dcbc861a7e14ee0e9bdc4bde620a7544b8b1126f3573da11e112274e48
SHA51271895239add1a67813bb55dd2bd191f4f2690fb27625d42767d3aa0929544cb6204ded669620f086aab885f54176f43d501f2c4809c5b435c4c6c5b888ae62de
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
120KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
584KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
808KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB